
CGISecurity Interview: Interviewing Ivan Ristic the Author of ModSecurity

After the announcement that ModSecurity was purchased by Breach Security, I decided to email Ivan and ask him a few questions that many of us are wondering about regarding the future of ModSecurity.

How will the sale of ModSecurity to breach affect existing users?

"There are going to be many positive changes resulting from this sale. Development is going to accelerate as we will have one developer assigned to working on the code full time, and that's in addition to me having more time to spend on development. The documentation and community support are going to improve too, as we are going to have someone dedicated full-time to growing and nurturing the community. The latter is very significant as I have come to the conclusion that the interaction with the community is the main opportunity for further expansion. Web application security is complicated due to the dynamic environment, and the web application firewalls protecting those applications must manage a changing environment. Right now ModSecurity is difficult to use for some because there are no wizards and no implicit protection facilities. Users must have a high level of expertise. While this works well for the professionals, I want to make ModSecurity an equally suitable solution for people who are not web application security gurus but have an equally important need to protect themselves, while minimising their time investment in the process.

I also believe the ModSecurity users are going to benefit from the commercial offerings. They will have the option to purchase a commercially supported version of ModSecurity from an organisation with broad reach to places I previously could not support. That, and the range of appliances we will come out with, will ensure the users have a very wide choice of deployment options.

Our first appliance, expected in November, is going to be *very* affordable. Breach Security want to continue to pursue the main goal of the ModSecurity project, and that is to make web application firewalls accessible to everyone. This, of course, makes me personally very happy as it's a goal I've been working on for some years now."

Will future versions of ModSecurity be closed source?

"No. ModSecurity for Apache is going to remain open source. Not only that, but the open source version is where the improvements are going to continue to be added, meaning the community is going to get them straight away.

I know this question – "will the product remain open source?" – is what many think about in situations like this. Breach Security are committed to keeping ModSecurity open source, but you don't have to take my (or anyone's) word for it. Just wait and see. Actions are always stronger than words. Also, as many have pointed out before me, open source products do not die unless the community wants them to die."

How will the licensing model be affected?

"The licensing model is not going to be affected. ModSecurity was always available under two licences and that will not change. The open source version uses GPLv2. There is also the commercial licence, which we are going to use for the commercial version of ModSecurity. The commercial version of ModSecurity is going to be based on the same code base with added services and more responsibilities on our part (e.g. support with a service level agreement, support for the ruleset, etc)."

What are the terms of the acquisition?

"Undisclosed."

What are Breach Security's plans for ModSecurity and when will we expect to see those changes?

"The main plan is to give the project the resources it needs to continue to develop. For this we need to find the right people and we have already started to look. The ultimate plan is, as it has always been, to make ModSecurity into the best possible open source web application firewall.

The project is already benefiting because an independent security code review of the ModSecurity 2.0 code base is taking place before the product is released (on October 2nd). Breach Security has also decided to make the ModSecurity Console (limited to supporting 3 sensors) available for free for a limited time. Finally, we are going to release the certified rule set to the community and make it part of the core product. This, the rules, is a feature every member of the community we talked to requested."

Boxers or briefs?

"Briefs. Too much freedom is not necessarily a good thing."

Additional information about the acquisition can be found in this blog post: http://www.modsecurity.org/blog/archives/2006/09/modsecurity_has.html
